Professional Documents
Culture Documents
(English) Cybersecurity Handbook For Civil Society Organizations - 0
(English) Cybersecurity Handbook For Civil Society Organizations - 0
Handbook
for
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter
to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
Table of Contents
Visual Legend 4
What assets does your organization have and what do you want to protect? 9
Who are your adversaries and what are their capabilities and motivations? 9
What threats does your organization face? And how likely and high-impact are they? 10
Secure Devices 26
Browsing Securely 54
4 CyberSecurity Handbook
1 2
3 4
5 6
5
The Top 10
These ten elements are critical to your organization’s security plan. If you are looking for
somewhere to start, look here first.
1 2
Conduct regular security training Be alert to phishing and have a
within your organization reporting system
3 4
Use encryption for all Require strong passwords and
communication - end-to-end, implement a password manager
when possible across your organization
5 6
Require two factor Ensure all staff devices and
authentication wherever software are kept up to date
possible
7 8
Use secure cloud storage Use HTTPS and, if appropriate, a
VPN, for accessing the internet
9 10
Protect your organization’s Develop an organizational
physical assets incident response plan
6 CyberSecurity Handbook
Authors & Acknowledgments
Lead Author: Evan Summers (NDI)
Contributing Authors: Sarah Moulton (NDI); Chris Doten (NDI)
In developing this Handbook, we’d like (OrgSec) Community. This Handbook is designed to
complement those more in-depth materials, combining key
to particularly thank our expert external lessons into a one-stop, easy-to-read resource for civil society
reviewers who provided us with valuable organizations looking to get started on a cybersecurity plan.
feedback, edits, and suggestions as we pulled
In addition to taking indirect inspiration from many wonderful
together this content, including: resources compiled by the community, we have directly copied
useful language from a handful of existing resources as well
Fiona Krakenburger, Open Technology Fund; Bill Budington throughout this Handbook, particularly the Electronic Frontier
and Shirin Mori, Electronic Frontier Foundation; Jocelyn Foundation’s Surveillance Self Defense Guide, Tactical Tech’s
Woolbright, Cloudflare; Martin Shelton, Freedom of the Press Holistic Security Manual, and a range of explainers from the
Foundation; Dave Leichtman, Microsoft; Stephen Boyce, Center for Democracy and Technology and the Freedom of
International Foundation for Electoral Systems; Amy Studdart, the Press Foundation. You can find specific citations to these
International Republican Institute; Emma Hollingsworth, resources throughout the sections below, and complete links,
Global Cyber Alliance; Caroline Sinders, Convocation Design + author, and license information within Appendix A.
Research; Dhyta Caturani; Sandra Pepera, NDI; Aaron Azelton,
NDI; and Whitney Pfeifer, NDI. We also strongly recommend that anyone reading this
Handbook make use of the extensive library of digital security
We also want to acknowledge all the incredible manuals, guides and resources compiled and updated by the Open
guides, workbooks, training modules and other materials Technology Fund.
developed and maintained by the Organizational Security
7
Who is this Handbook for?
This Handbook was written with a simple goal there are likely hundreds of other smaller attacks each year
that go undetected or unreported, many aimed at civil society
in mind: to help your civil society organization organizations working to support democracy, accountability,
develop an understandable and implementable and human rights. Organizations representing women or other
cybersecurity plan. marginalized groups are often particularly targeted.
8 CyberSecurity Handbook
1 What assets does your organization
have and what do you want to protect?
You can start answering these questions by creating a catalog them (perhaps multiple digital or physical places), and what
of all your organization’s assets. Information such as messages, prevents others from accessing, damaging, or disrupting them.
emails, contacts, documents, calendars, and locations are all Keep in mind that not everything is equally important. If
possible assets. Phones, computers and other devices can be some of the organization’s data is a matter of public record, or
assets. And people, connections, and relationships might be information you already publish, they are not secrets that you
assets too. Make a list of your assets and try to catalog them need to protect.
by their importance to the organization, where you keep
9
3 What threats does your organization
face? And how likely and high-impact
are they?
10 CyberSecurity Handbook
Creating your Organizational
Cybersecurity Plan
While every organization’s security plan will
look a little bit different based upon its risk Security Plan Starter Kit
assessment and organizational dynamics,
certain core concepts are nearly universal.
This Handbook addresses these essential concepts in a way that To help your organization process
will help your organization build a concrete security plan based
the Handbook’s lessons and turn
upon practical solutions and real-world applications.
them into a real plan, make use of
This Handbook endeavors to provide options and suggestions this starter kit. You can either print
that are free or very low cost. Keep in mind that the most
out the kit or fill it in digitally while
significant cost associated with implementing an effective
security plan will be the time you and your organization need to you read the Handbook online. As
talk about, learn, and implement your new plan. Given the risks you take notes and begin to update
your organization is likely to face, though, this investment will
or craft your security plan, be sure to
be more than worth it.
reference the “Security Plan Building
In each section, you will find an explanation of a key topic that Blocks” detailed in each section. No
your organization and its staff should be aware of - what it
security plan is complete without, at
is and why it is important. Each topic is paired with essential
strategies, approaches, and recommended tools to limit your minimum, addressing these essential
risk and tips and links to additional resources that can help you elements.
implement such recommendations across your organization.
Take advantage of other resources that can help you build and implement your plan as well. As a Civil Society
organization, the free SOAP (“Securing Organizations with Automated Policymaking”) app can help simplify and
automate the creation of your security plan.
Also make use of free training resources like Consumer Reports’ Security Planner, the Umbrella app from Security First,
the Totem Project from Free Press Unlimited and Greenhost, and the Global Cyber Alliance Cybersecurity Toolkit for
Mission Based Organizations, which include resources on many of the best practices mentioned in this Handbook and
links to dozens of training tools to help you implement many core basics.
11
Building a
Culture of
Security
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
12 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Security is all about people, and to protect that will build the resilience of your staff and
your organization you need to make sure organization in the face of security threats. One
that everyone involved takes cybersecurity of the simplest but most important steps to take
seriously. Changing culture is hard, but a few to build this organizational security culture is to
simple steps and important conversations can communicate about it within your organization,
go a long way towards creating an atmosphere and for leaders to always model good behavior.
As is described in detail in Tactical Tech’s and facilitating a discussion on security between members of
the organization, which can help develop the idea that security
Holistic Security Guide, it is essential to create is everyone’s responsibility and not just that of a select few
regular, safe spaces to talk about the different or the “IT Team.” As you begin to formalize discussion about
aspects of security. security, staff will likely feel more comfortable discussing
these important issues amongst themselves as well in less
This way, if team members have concerns around security, they formal settings.
will be less anxious about seeming paranoid or wasteful of
other people’s time. Scheduling regular conversations about It is also important to incorporate security elements into
security also normalizes the frequency of interaction and the normal functioning of the organization, such as during
reflection on matters relating to security, so that the issues employee onboarding – and thinking about cutting off access
are not forgotten, and team members are more likely to bring to systems during off-boarding. Security should not be some
at least a passive awareness of security to their ongoing work. “extra thing” to worry about, but rather an integral part of your
It does not need to be every week, but make it a recurring strategy and operations.
reminder. These discussions should not only leave space for
topics of technical security, but also issues that impact staff Remember that all security plans should be
comfort and safety such as community conflict, online (and considered living documents, and should be re-
offline) harassment, or issues with using and implementing
digital tools. Conversations can even include topics like offline evaluated and discussed regularly, especially
information-sharing habits and the ways staff do or do not when new employees or volunteers join the
secure information outside of work. After all, it is important organization or your security context changes.
to remember that an organization’s security is only as
strong as its weakest link. One way to accomplish consistent
Plan to revisit your strategy and make updates annually,
engagement is by adding security to the agenda of a regular
or if there are major changes in strategy, tools, or the
meeting. You can also rotate the responsibility for organizing
threats you face.
Part of a successful security culture is also through all the elements and steps of the plan so that there is
no mystery or confusion about what you are trying to achieve.
ensuring buy-in across your organization to Many donors now require grantees to maintain strong security,
your security plan. so stressing this to staff can be a good way to create deeper
organizational buy-in as well. When talking about security, avoid
Critically this must include strong, vocal support and guidance scare tactics. Sometimes the threats that your organization and
from organizational leaders who will, in many cases, be the ones staff face can be scary, but try to focus on sharing facts and
making the final decision to allocate time, resources, and energy creating a calm space for questions and concerns. Making the
towards developing and implementing an effective security dangers seem too threatening can cause people to dismiss you
plan. If they do not take it seriously, no one else will. To achieve as sensationalist or simply give up, thinking nothing they do
this buy-in across the organization, think carefully about when matters – and nothing could be further from the truth.
and how to introduce your plan, do so in a clear manner, make
sure leadership reinforces the messages, and walk everyone
Once you have developed and committed to upon varying levels of familiarity with digital tools and the
internet. A fear of failure only further disincentivizes staff
a plan, think about how you will train all staff from reporting problems or seeking help. However, creating
(and volunteers) on these new best practices. positive accountability and rewards for successful training
and adoption of policies can help incentivize improvement
Requiring regular training - and making attendance of training across the organization. You may find additional valuable
mandatory and an evaluation point for staff performance support through local or international digital security training
reviews - can be a helpful tactic. Avoid creating harsh, networks and free training resources such as the Umbrella
negative consequences for staff who struggle with security app from Security First, the Totem Project from Free Press
concepts. Keep in mind that certain staff may adapt to Unlimited and Greenhost, and the Global Cyber Alliance
and learn about technology differently than others based Learning Portal.
14 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
o Schedule regular conversations and trainings about security and your security plan.
o Get everyone involved - distribute responsibility for implementing your security
plan across the entire organization.
o Ensure leadership models good security behavior and a commitment to your plan.
o Avoid fear tactics or punishment - reward improvement and create a comfortable
space for staff to report problems and seek help.
o Update your security plan annually or after major changes in the organization.
16 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Why the focus on accounts and devices? matter how secure your messaging apps are. Or if an adversary
Because they form the foundation of everything gains access to your organization’s social media accounts, they
could easily harm your reputation and credibility, undermining
that your organization does digitally. the success of your work. Therefore it is essential as an
organization to ensure that everyone is taking some simple
You almost certainly access sensitive information, but effective steps to keep their devices and accounts secure.
communicate internally and externally, and save private It is important to note that these recommendations include
information on them. If they are not secure, then all these personal accounts and devices as well, as those are often easy
things and more can be put at risk. For example, if hackers targets for adversaries. Hackers will gladly go after the easiest
are watching your keystrokes or listening to your microphone, target and break into a personal account or home computer if
private conversations with colleagues will be captured no your team is using them to communicate and access important
information.
The widely publicized SolarWinds hack revealed in Facebook in 2020. According to their report, hacking
late 2020, which compromised over 250 organizations, groups in Bangladesh targeted the accounts of local civil
including most United States government departments, society activists, journalists, and religious minorities.
technology vendors like Microsoft and Cisco, and NGOs Unfortunately the hackers were able to successfully
was partly a result of hackers guessing poor passwords compromise some of these Facebook accounts, including
that were used on important administrator accounts. an administrator for a local group’s Facebook Page. With
Overall, about 80 percent of all hacking-related breaches access to the admin account, the hackers removed the
occur because of weak or reused passwords. remaining admins and took over and disabled the page,
preventing the group from sharing key information
With the increasing prevalence of password breaches and communicating to their audience. Facebook’s
like this and easier access for all kinds of adversaries investigation discovered that the accounts were likely
to sophisticated password hacking tools, password best compromised through various means, including abuse of
practices and two-factor authentication are a security its account recovery process. If all the accounts had been
must-haves for civil society organizations. One example using two-factor authentication, such attacks would have
of civil society accounts under attack was reported by been much more difficult for the hackers to effectively
execute.
1
A Strong Foundation: Securing Accounts and Devices 17
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
In today’s world it is likely that your Think about the different accounts that individual staff and
the organization as a whole may have: email, chat apps, social
organization and its staff have dozens if not media, online banking, cloud data storage, as well as clothing
hundreds of accounts that, if breached, could stores, the local restaurants, newspapers, and many other
expose sensitive information or even get at-risk website or app that you log into. Good security in today’s world
requires a diligent approach to protecting all of these accounts
individuals hurt. from attacks. That starts with ensuring good password hygiene
and the use of two-factor authentication throughout the entire
organization.
The longer the password is, the harder it is for an adversary to guess it.
Most password hacks are done by computer programs these days, and it
LENGTH does not take those nefarious programs long to crack a short password.
As a result, it is essential that your passwords are at minimum 16
characters, or at least five words, and preferably longer.
Perhaps the most common password “worst practice” is using the same
password for multiple sites. Repeating passwords is a big problem because
it means that when just one of those accounts is compromised, any other
accounts using that same password are vulnerable too. If you use the same
UNIQUENESS passphrase on multiple sites, it can greatly increase the impact of one
mistake or data breach. While you may not care about your password for
the local library, if it is hacked and you use the same password on a more
sensitive account, important information could be stolen.
18 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
One easy way to achieve these goals of length, randomness, and uniqueness is picking three or four common but
random words. For example, your password could be “flower lamp green bear” which is easy to remember but hard to
guess. You can take a look at this website from Better Buys to see an estimate of just how quickly bad passwords can
be cracked.
Instead of using your browser (such as Chrome, shown at left) to save your passwords, use a dedicated password
manager (like Bitwarden, shown at right). Password managers have features that make life both more secure and
convenient for your organization.
20 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
You can strengthen your entire organization’s password for staff. You can securely share credentials within the
practices and ensure all individual staff have access to password manager itself to different user accounts.
(and use) a password manager by implementing one And Bitwarden, for example, also provides a convenient
across the entire organization. Instead of having each end-to-end encrypted text and file sharing feature called
individual staff member set up their own, consider “ Bitwarden Send” within its team plan. Both of these
investing in a “team” or “business” plan. For example, features give your organization more control over who
Bitwarden’s “teams organization” plan costs $3USD can see and share which passwords, and provides a more
per user per month. With it (or other team plans from secure option for sharing credentials for team-wide or
password managers like 1Password), you have the ability group accounts. If you do set up an organization-wide
to manage all shared passwords across the organization. password manager, be sure that someone is specifically
The features of an organization-wide password manager in charge of removing staff accounts and changing any
not only provide greater security but also convenience shared passwords when someone leaves the team.
22 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
If your organization provides email accounts to all staff follow these instructions to enforce 2FA for your domain.
through Google Workspace (formerly known as GSuite) or You can do something similar in Microsoft 365 following
Microsoft 365 using your own domain (for example, @ these steps as a domain admin.
ndi.org), you can enforce 2FA and strong security settings
for all accounts. Such enforcement not only helps protect Consider also enrolling your organization’s accounts
these accounts, but it also acts as a way to introduce in the Advanced Protection Program (Google) or
and normalize 2FA to your staff so that they are more AccountGuard (Microsoft) to enforce additional security
comfortable with adopting it for personal accounts controls and require physical security keys for two-factor
as well. As a Google Workspace administrator, you can authentication.
24 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Secure Accounts
o Require strong passwords for all organizational accounts; encourage the same for
staff and volunteer’s personal accounts.
o Implement a trusted password manager for the organization (and encourage use in
staff’s personal lives as well).
• Require a strong primary password and 2FA for all password manager accounts.
• Remind everyone to log out of a password manager on shared devices or when at
heightened risk of device theft or confiscation.
o Change shared passwords when staff leave the organization.
o Only share passwords securely, such as through your organization’s password
manager or end-to-end encrypted apps.
o Require 2FA on all organizational accounts, and encourage staff to setup 2FA on all
personal accounts as well.
• If possible, provide physical security keys to all staff.
• If security keys are not in your budget, encourage the use of authenticator apps
instead of SMS or phone calls for 2FA.
o Hold regular training to ensure staff are aware of password and 2FA best practices,
including what makes a strong password and the importance of never reusing
passwords, only accepting legitimate 2FA requests, and generating backup 2FA
codes.
Secure Devices
In addition to accounts, it is essential to keep requires Chinese companies to provide data to the central
government. Therefore, despite the ubiquitous and inexpensive
all devices – computers, phones, USBs, external presence of smartphones like Huawei or ZTE, they should be
hard drives, etc. – well protected. avoided. Although the cost of cheap hardware can be very
attractive to an organization, the potential security risks for
Such protection starts with being careful about what type organizations advocating for democracy, human rights, or
of devices your organization and staff purchase and use. accountability should steer you towards other device options,
Any vendors or manufacturers that you select should have a as this access to data has helped facilitate the Chinese
demonstrated track record of adhering to global standards government and other governments’ targeting of certain
regarding the secure development of hardware devices (like individuals and communities. Your adversaries can compromise
phones and computers). Any devices you procure should be the security of your devices - and everything you do from those
manufactured by trusted companies that do not have an devices - by either gaining physical access or “remote” access to
incentive to hand over data and information to a potential your device.
adversary. It is important to note that the Chinese government
Some of the world’s most advanced malware has been discontinued file sharing program). For those targets
developed and deployed across the globe to target civil who opened the files, their devices became infected with
society organizations and human rights defenders. In software that recorded audio, intercepted keystrokes and
India, for example, Amnesty International reported that messages, and in effect put them under full surveillance
at least nine human rights defenders were targeted in of the attackers. Such attacks, which are frequently aimed
2020 with spyware (a type of malicious software) on at civil society groups and their individual staff, are an
their mobile devices and computers. The spyware was unfortunately common way for attackers to gain “remote”
delivered through a series of phishing emails with links access to a device.
to infected files shared through Firefox Send (a since
26 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
28 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Malware in the Real World: Never accept and run applications that come from websites
you do not know and trust. Rather than accepting an “update”
Updates Are Essential offered in a pop-up browser window, for example, check
for updates on the relevant application’s official website.
In 2017, the WannaCry ransomware attacks As discussed in the Phishing Section of the Handbook, it is
infected millions of devices around the world, essential to stay alert when browsing websites. Check the
shutting down hospitals, government entities, destination of a link (by hovering over it) before you click, and
large and small organizations and businesses glance at the website address after you follow a link and make
in dozens of countries. Why was the attack so sure it looks appropriate before entering sensitive information
effective? Because of out of date, “unpatched” like your password. Do not click through error messages
Windows operating systems, many of which were or warnings, and watch for browser windows that appear
initially pirated. Much of the damage – human automatically and read them carefully instead of just clicking
and financial – could have been avoided with Yes or OK.
better automated updating practices and the use
of legitimate operating systems.
What about smartphones?
As with computers, keep your phone’s operating system and
applications up to date, and turn on automatic updates. Install
only from official or trusted sources like Google’s Play Store and
Apple’s App Store (or F-droid, a free, open-source app store for
Android). Apps can have malware inserted into them and still
appear to work normally, so you will not always know if one
is malicious. Be sure that you are downloading the legitimate
version of an app as well. Especially on Androids, “fake” versions
of popular applications exist. So be sure an app is created by
the proper company or developer, has good reviews, and has the
expected number of downloads (for example, a fake version of
Be careful about USBs WhatsApp might only have a few thousand downloads, but the
real version has over 5 billion). Pay attention to the permissions
Be cautious when opening files that are sent to you as
that your apps request. If they seem excessive (like a calculator
attachments, through download links, or by any other means.
requiring access to your camera or Angry Birds asking for access
Also think twice before inserting removable media like USB
to your location, for example) deny the request or uninstall the
sticks, flash memory cards, DVDs and CDs into your computer,
app. Uninstalling apps that you no longer use can also help
as they can be a vector for malware. USBs that have been
protect your smartphone or tablet. Developers sometimes sell
shared for a while are very likely to have viruses on them.
ownership of their apps to other people. These new owners may
For alternative options to share files securely across your
try to make money by adding malicious code.
organization, take a look at the File Sharing Section of the
Handbook.
One very secure option which requires a bit of technical you to start with a clean slate each time you restart
skill to set up is the Tails operating system. This portable your computer. Tails also has a persistence mode, which
operating system is free to use and you can boot it allows you to save important files and settings across
up straight from a USB, bypassing the need to rely on multiple sessions if desired.
licensed Windows or Mac operating systems. Tails is
also a good option for those at extremely high risk, Another option for a free, secure operating system
as it incorporates a wide range of privacy-enhancing is Qubes OS. While not the simplest option for non-
features. These features include the integration of Tor technical users, Qubes is designed to limit the threat
(discussed below) to secure your web traffic, and the of malware and is another option to consider for more
complete erasure of memory every time you shut down advanced and high-risk users in your organization,
the operating system. These features essentially allow especially if licensing costs are a challenge.
30 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
o Train staff on the risks of malware and the best practices to avoid it.
• Provide policies about connecting external devices, clicking on links, downloading
files and apps, and checking software and app permissions.
o Mandate that devices, software, and applications are kept fully updated.
• Turn on automatic updates where possible.
o Ensure all devices are using licensed software.
• If the cost is prohibitive, switch to a no-cost alternative.
o Require password protection of all organizational devices, including personal
mobile devices which are used for work-related communications.
o Enable full-disk encryption on devices.
o Frequently remind staff to keep their devices physically secure - and manage your
office security with appropriate locks and ways to secure computers.
o Do not share files using USBs or plug USBs into your computers.
• Use alternative secure file sharing options instead.
Phishing is the most common and effective messaging apps like WhatsApp, social media messages or posts,
or phone calls (often referred to as voice phishing or “vishing”).
attack on organizations around the world. The The phishing messages may try to get you to type sensitive
technique is used by the most sophisticated information (like passwords) into a fake website in order to
nation-state militaries as well as petty gain access to an account, ask you to share private information
(like a credit card number) via voice or text, or convince you to
fraudsters. download malware (malicious software) that can infect your
device. For a non-technical example, every day millions of
Phishing, put simply, is where an adversary attempts to trick people get fake automated phone calls telling them that their
you into sharing information that could be used against you bank account was compromised or that their identity has been
or your organization. Phishing can happen via emails, text stolen - all of which are designed to trick the unaware into
messages/SMS (often referred to as SMS phishing or “smishing”), sharing sensitive information.
32 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Sophisticated, personalized phishing attacks target civil fake Google email login page (shown in middle) that
society groups around the world every day. was used to steal account credentials. If victims provided
credentials to the fake page, their accounts would be
One example of such an attack is highlighted in The easily compromised. After providing their username and
Citizen Lab’s 2018 report, Spying on a Budget: Inside password to the fake site, victims would be redirected
a Phishing Operation with Targets in the Tibetan to an image (shown at right) that shows delegates in a
Community. This very inexpensive and simple - yet Tibetan meeting. The image was included as a decoy
incredibly effective - phishing attack was aimed at to make the phishing targets believe they had actually
Tibetan human rights defenders and other activists. The signed in to their real Google account and reduce any
attack started with a phishing email (shown at left) from possible suspicions about the true malicious nature of
a standard Gmail address that contained only an image the email.
file link. When clicked, the link brought the target to a
Beware of attachments
Attachments can carry malware and viruses, and commonly onto your computer. This works well for word documents, PDFs,
accompany phishing emails. The best way to avoid malware and even slideshow presentations. If you need to edit the
from attachments is to never download them. As a rule, do not document, consider opening the file in a cloud program like
open any attachments immediately, especially if they come Google Drive and converting the file to a Google Doc or Google
from people you do not know. If possible, ask the person that Slides.
sent you the document to copy-paste the text in an email or to
share the document via a service like Google Drive or Microsoft If you use Outlook, you can similarly preview attachments
OneDrive, which have built-in virus scanning of most documents without downloading them from the Outlook web client. If you
uploaded to their platforms. Build an organizational culture need to edit the attachment, consider opening it in OneDrive if
where attachments are discouraged. that’s available to you. If you use Yahoo Mail, the same concept
If you absolutely have to open the attachment, it should only applies. Do not download attachments, but rather preview them
be opened in a safe environment (see Advanced section below) from within the web browser.
where potential malware cannot be deployed to your device.
Regardless of what tools you have at your disposal, the best
If you use Gmail and receive an attachment in an email, instead approach is simply to never download attachments that you
of downloading it and opening it on your computer, simply click do not know or trust, and regardless of how important an
on the attached file and read it in “preview” within your browser. attachment might seem, never open something with a file type
This step allows you to view the text and contents of a file you do not recognize or have no intention of ever using.
without downloading it or allowing it to load possible malware
If your organization uses enterprise Microsoft 365 for Organizations can use this technology to block staff
email and other applications, your domain administrator from accidentally accessing or interacting with malicious
should configure the Safe Attachments policy to protect content, providing an additional layer of protection
against dangerous attachments. If using enterprise against phishing. New services like Cloudflare’s Gateway
Google Workspace (formerly known as GSuite), there provide such capabilities to organizations without
is a similarly effective option that your administrator requiring large sums of money (Gateway, for example, is
should configure called Google Security Sandbox. More free for up to 50 users). Additional free tools, including
advanced individual users can consider setting up Quad9 from the Global Cyber Alliance Toolkit, will help
sophisticated sandbox programs, such as Dangerzone or, block you from accessing known sites that have viruses
for those with the Pro or Enterprise version of Windows or other malware and can be implemented in less than
10, Windows Sandbox. Another advanced option to five minutes.
consider implementing across your organization is a
secure domain name system (DNS) filtering service.
34 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Phishing
o Regularly train staff on what phishing is and how to spot it and defend against it,
including phishing on text messages, messaging apps, and phone calls, not just
email.
o Frequently remind staff of best practices such as:
• Do not download unknown or potentially suspicious attachments.
• Check the URL of a link before you click. Do not click unknown or potentially
suspicious links.
• Do not provide sensitive or private information via email, text, or phone call to
unknown or unconfirmed addresses or people.
o Encourage reporting of phishing.
• Establish a reporting mechanism and point-person for phishing within your
organization.
• Reward reporting, and do not punish failure.
36 CyberSecurity Handbook
Communicating
and Storing Data
Securely
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
37
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
To make the best decisions for your One of the most important elements of communications
security relates to keeping private communications private -
organization about how to communicate, it is which in the modern era is largely taken care of by encryption.
essential to understand the different types of Without proper encryption, internal communications could be
protection that our communications can have, seen by any number of adversaries. Insecure communications
can expose sensitive or embarassing information and messages,
and why such protection is important. reveal passwords or other private data, and possibly put your
staff and organization at risk depending upon the nature of your
communications and content that you share.
Thousands of democracy and human rights activists and report, phone recordings and other unencrypted
organizations rely on secure communication channels communications were intercepted by the government
every day to maintain the confidentiality of conversations and used in court against prominent opposition
in challenging political environments. Without such politicians and activists, many of whom spent years in
security practices, sensitive messages can be intercepted prison. In 2020, another swell of post-election protests
and used by authorities to target activists and break up in Belarus saw thousands of protestors adopt user-
protests. One prominent and well-documented example friendly, secure messaging apps that were not as readily
of this occurred in the aftermath of the 2010 elections available just ten years prior to protect their sensitive
in Belarus. As detailed in this Amnesty International communications.
38 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Unencrypted Messaging
Without any encryption, everyone involved in relaying
the message, and anyone who can sneak a peak as it
goes by, can read its content. This might not matter
much if all you are saying is “hello”, but it could be a big
deal if you are communicating something more private
or sensitive that you do not want your telecom, ISP, an
unfriendly government, or any other adversary to see.
Because of this, it is essential to avoid using unencrypted
tools to send any sensitive messages (and ideally any
messages at all.) Keep in mind that some of the most
popular communication methods - such as SMS and
phone calls - practically operate without any encryption
(like in this image).
As you can see in the image above, a smartphone sends and anyone who can sneak a peek as it goes by can read its
a green, unencrypted text message (“hello”) to another content. This might not matter much if all you are saying is
smartphone on the far right. Along the way, a cellphone “hello,” but it could be a big deal if you are communicating
tower (or in the case of something sent over the internet, something more private or sensitive that you do not want
your internet service provider, known as an ISP) passes your telecom, ISP, an unfriendly government, or any other
the message along to company servers. From there it hops adversary to see. Because of this, it is essential to avoid using
through the network to another cellphone tower, which can unencrypted tools to send any sensitive messages (and ideally
see the unencrypted “hello” message, and is finally then any messages at all.) Keep in mind that some of the most
routed to the destination. It is important to note that without popular communication methods - such as SMS and phone
any encryption, everyone involved in relaying the message, calls - practically operate without any encryption (like in the
image above).
There are two ways to encrypt data as it moves: transport-layer encryption and end-to-end encryption. The type of encryption a service
provider supports is important to know as your organization makes choices to adopt more secure communications practices and
systems. Such differences are described well by the Surveillance Self Defense Guide which is adapted again here:
Transport-layer Encryption
Transport-layer encryption, also known as transport layer
security (TLS), protects messages as they travel from your
device to the messaging app/service’s servers and from
there to your recipient’s device. This protects them from
the prying eyes of hackers sitting on your network or
your internet or telecommunications service providers.
However, in the middle, your messaging/email service
provider, the website you are browsing, or the app you
are using can see unencrypted copies of your messages.
Because your messages can be seen by (and are often
stored on) company servers, they may be vulnerable
to law enforcement requests or theft if the company’s
servers are compromised.
The image above shows an example of transport-layer are able to decrypt the message, read the contents, decide where
encryption. On the left, a smartphone sends a green, unencrypted to send it, re-encrypt it, and send it along to the next cellphone
message: “Hello.” That message is encrypted and then passed tower towards its destination. At the end, the other smartphone
along to a cellphone tower. In the middle, the company servers receives the encrypted message, and decrypts it to read “Hello.”
End-to-End Encryption
End-to-end encryption protects messages in transit
all the way from sender to receiver. It ensures that
information is turned into a secret message by its
original sender (the first “end”) and decoded only by
its final recipient (the second “end”). No one, including
the app or service you are using, can “listen in” and
eavesdrop on your activity.
The image above shows an example of end-to-end encryption. smartphone receives the encrypted message, and decrypts
On the left, a smart phone sends a green, unencrypted it to read “Hello.” Unlike transport-layer encryption, your ISP
message: “Hello.” That message is encrypted, and then passed or messaging host is not able to decrypt the message. Only
along to a cellphone tower and then to the app/service’s the endpoints (the original devices sending and receiving
servers, which cannot read the contents, but will pass the encrypted messages) have the keys to decrypt and read the
secret message along to its destination. At the end, the other message.
40 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
• Signal
FILE SHARING • Keybase / Keybase Teams
• OnionShare + an end-to-end encrypted messaging app like
Signal
Even a tiny sample of metadata can provide an intimate lens into your organization’s activities. Let us take a look at how revealing
metadata can actually be to the hackers, government agencies, and companies that collect it:
They know you called a They know multiple staff They know you got an email They know you received an
journalist and spoke with within your organization from a COVID testing service, email from a local human
them for an hour before that messaged a prominent local then called your doctor, then rights advocacy group with
journalist published a story digital security trainer. But visited the World Health the subject line “Tell the
with an anonymous quote. the topic of the messages Organization’s website in the Government: Stop Abusing
However, they do not know remains a secret. same hour. However, they do your Power”. But the content
what you talked about. not know what was in the of the email is invisible to
email or what you talked them.
about on the phone.
42 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Metadata is not protected by the encryption provided by most staff, you can enforce best practices like strong passwords and
message services. If you are sending a message on WhatsApp, 2FA on any accounts your organization manages. If, according
for example, keep in mind that while the contents of your to your analysis above, end-to-end encryption is necessary
message are end-to-end encrypted, it is still possible for others for your email, both Protonmail and Tutanota offer plans for
to know who you are messaging, how frequently, and, with organizations. If transport-layer encryption is adequate for your
phone calls, for how long. As a result, you should keep in mind organization’s email, options like Google Workspace (Gmail) or
what risks exist (if any) if certain adversaries are able to find Microsoft 365 (Outlook) can be useful.
out who your organization talks to, when you talked to them,
and (in the case of email) the general subject lines of your
organization’s communications. CAN WE REALLY TRUST
One of the reasons that Signal is so highly recommended is WHATSAPP?
that, in addition to providing end-to-end encryption, it has
introduced features and made commitments to reduce the WhatsApp is a popular choice for secure messaging, and can be
amount of metadata that it records and stores. For instance, a good option given its ubiquity. Some people are concerned
Signal’s Sealed Sender feature encrypts the metadata about that it is owned and controlled by Facebook, which has been
who is talking to whom, so that Signal only knows the recipient working to integrate it with its other systems. People are also
of a message but not the sender. By default this feature only concerned about the amount of metadata (i.e. information
works when communicating with existing contacts or profiles about with whom you communicate and when) that WhatsApp
(people) with whom you have already communicated or whom collects. If you choose to use WhatsApp as a secure messaging
you have stored in your contacts list. However you can enable option, be sure to read the above section on metadata. There
this “Sealed Sender” setting to “Allow from anyone” if it is are also a few settings that you need to ensure are properly
important for you to eliminate such metadata across all Signal configured. Most critically, be sure to turn off cloud backups,
conversations, even those with people unknown to you. or, at the very least, enable WhatsApp’s new end-to-end
encrypted backups feature using a 64 digit encryption key or
long, random, and unique passcode saved in a secure place
WHAT ABOUT EMAIL? (like your password manager). Also be sure to show security
notifications and verify security codes. You can find simple
Most email providers, for example Gmail, Microsoft Outlook, and how-to guides for configuring these settings for Android phones
Yahoo Mail, employ transport-layer encryption. So if you must here and iPhones here. If your staff *and those with whom you
communicate sensitive content using email and are worried all communicate* do not properly configure these options, then
that your email provider could be legally required to provide you should not consider WhatsApp to be a good option for
information about your communications to a government or sensitive communications that require end-to-end encryption.
another adversary, you may want to consider using an end-to- Signal still remains the best option for such end-to-end
end encrypted email option. Keep in mind, however, that even encrypted messaging needs given its secure default settings
end-to-end encrypted email options leave something to be and protection of metadata.
desired from a security perspective, for example, not encrypting
subject lines of emails and not protecting metadata. If you need
to communicate particularly sensitive information, email is not WHAT ABOUT TEXTING?
the best option. Instead opt for secure messaging options like
Signal. Basic text messages are highly insecure (standard SMS is
effectively unencrypted), and should be avoided for anything
If your organization does continue to use email, it is critical that is not meant for public knowledge. While Apple’s iPhone-
to adopt an organization-wide system. This helps you limit to-iPhone messages (known as iMessages) are end-to-end
the common risks that arise when staff use personal email encrypted, if a non-iPhone is in the conversation the messages
addresses for their work, such as poor account security practices. are not secured. It is best to be safe and avoid text messages for
For example, by providing organization-issued email accounts to anything remotely sensitive, private, or confidential.
THEM TO DOWNLOAD A NEW Signal, which is widely considered to be the best user-friendly
option for secure messaging and one-to-one calls, be sure to set
APP TO COMMUNICATE WITH a strong pin. Use at least six digits, and not something easy-
to-guess like your birth date. For more tips on how to properly
US? configure Signal and WhatsApp, you can check out the tool
guides for both developed by EFF in their Surveillance Self-
Defense Guide.
Sometimes there is a tradeoff between security and
convenience, but a little extra effort is worth it for sensitive
communications. Set a good example for your contacts. If you
have to use other less secure systems, be very conscious of
what you are saying. Avoid discussion of sensitive topics. For
some organizations, they may use one system for general
chatting and another with leadership for the most confidential
discussions. Of course, it is simplest if everything is just
automatically encrypted all the time - nothing to remember or
think about.
44 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
If this option does not work for your organization, you can
consider using a popular commercial option like Webex or Zoom
with end-to-end encryption enabled. Webex has long allowed
for end-to-end encryption; however, this option is not turned
on by default and requires participants to download Webex
to join your meeting. To get the end-to-end encrypted option
for your Webex account you must open a Webex support case
and follow these instructions to ensure end-to-end encryption
is configured. Only the host of the meeting needs to enable
end-to-end encryption. If they do so, the entire meeting will be
46 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
• Google Hangouts
• Slack
• Microsoft Teams
TEXT MESSAGING • Mattermost
(INDIVIDUAL OR GROUP) • Line
• KaKao Talk
• Telegram
• Jitsi Meet
• Google Meet
GROUP CONFERENCING, • Microsoft Teams
AUDIO AND VIDEO • Webex
CALLS • GotoMeeting
• Zoom
• Google Drive
• Microsoft Sharepoint
FILE SHARING • Dropbox
• Slack
• Microsoft Teams
If you are looking for a secure file sharing option for the Handbook, but for the purposes of file sharing within
your organization that is not directly embedded in a your organization, keep OnionShare in mind as a safer
messaging platform (or perhaps you are running into alternative to sharing large files on USBs around the
file size limits when sharing large documents), consider office if you do not have a trusted Cloud provider option.
OnionShare. OnionShare is an open source tool that
allows you to securely and anonymously share a file of If your organization is already investing in a password
any size. It works by having the sender download the manager, as described in this Handbook’s section
OnionShare app (available on Mac, Windows and Linux on passwords, and chooses Bitwarden’s premium or
computers), uploading the file(s) they wish to share, and teams account, the Bitwarden Send feature is another
generating a unique link. This link, which can only be option for secure file sharing. This feature allows users
processed in Tor Browser, can then be shared via any to create secure links to share encrypted files via any
secure messaging channel (Signal, for instance) to the secure messaging channel (such as Signal). File size is
intended recipient. The recipient can then open the limited to 100MB, but Bitwarden Send allows you to set
link in Tor Browser and download the file(s) to their an expiration date on links, password protect access to
computer. Keep in mind, the files are only as secure as shared files, and limit the number of times that your link
the method through which you share the link. Tor will be can be opened.
explained in more detail in a later “advanced” section of
48 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
o Require the use of trusted end-to-end encrypted messaging services for your
organization’s sensitive communications (and ideally for all communications.)
• Take time to explain to staff and external partners why secure communications are
so important; this will enhance the success of your plan.
o Set a policy on how long you will retain messages and when/if the organization will
use “disappearing” communications.
o Ensure proper settings are in place for secure communications apps, including:
• Ensure all staff are paying attention to security notifications and, if using
WhatsApp, not backing up chats.
• If using an app where end-to-end encryption is not enabled by default (e.g. Zoom
or Webex), ensure the required users have turned on the proper settings at the
outset of any call or meeting.
o Use cloud-based email services such as Office 365 or Gmail for your organization.
• Do not attempt to host your own email server.
• Do not allow staff to use personal email accounts for work.
o Frequently remind the organization about security best practices related to group
messaging and metadata.
• Be aware of who is included in group messages,chats, and email threads.
For most civil society organizations, one of the local servers. While it is possible to secure data on all these
devices, it is very hard to do so successfully without spending a
most important decisions to make is where to lot of money and hiring significant IT staff.
store their data.
When selecting a tool or service to store your data, ensure you
Is it “more secure” to store data on staff computers, on a local trust the company or group behind it. A quick google search
server, on external storage devices, or in the cloud? In 99 and checking with digital security experts can go a long way
percent of situations, the easiest and most secure option is to in helping you verify the trustworthiness of a potential tech
keep data stored in trusted cloud storage services. Perhaps the vendor. Some questions to keep in mind include: Do they sell
most common examples include Microsoft 365 and Google or share your private data? Do they have appropriate security
Drive. Without a comprehensive cloud storage plan, it is likely resources on staff? Do they offer security features (like 2FA) to
that your organization’s data is stored in a variety of places - help you protect your account?
including staff computers, external hard drives, and even a few
The advent of affordable (sometimes free) cloud-based the hackers to gain access to organizational email
data storage has made life easier (and more secure) accounts, install additional malware on the victim’s
for many resource-limited civil society organizations. servers and connected systems, and ultimately extract
Unfortunately, many still attempt to host their own sensitive data. While Microsoft quickly published
servers with relatively limited IT budget, staffing, and an update and instructions to identify and remove
support. In March 2021, the threat of such organizational potential intruders, once the hacks became public,
infrastructure became real for tens of thousands many organizations lacked the IT capacity to quickly
of organizations across the world when a Chinese apply such updates, leaving them exposed for extended
government-affiliated threat actor, called Hafnium, periods of time. The scope and impact of this global hack
unleashed a global cybersecurity catastrophe with a reveals the danger of civic organizations choosing to
sophisticated attack on self-hosted Microsoft Exchange self-host email servers and other types of sensitive data.,
servers. The attack compromised local servers, enabling particularly without significant investment in dedicated
cybersecurity staff.
50 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
access to your data. You could spill coffee on your computer how a cloud storage solution can comply with any local
and destroy the hard drive. Staff computers could be hacked requirements. Many cloud storage providers, including Google
and all local files locked with ransomware. Someone could and Microsoft, now offer options that allow some customers to
lose a device on the train or have it stolen along with their choose the geographic location of their data in the cloud, for
briefcase. As mentioned above, this is another reason why example.
using cloud storage can be a benefit, because it is not tied to a
specific device that can be infected, lost, or stolen. Macs come
with built-in backup software called Time Machine which is
used together with an external storage device; for Windows Enhancing the Security
devices, File History offers similar functionality. iPhones and
Androids can automatically back up their most important of Organizational Cloud
contents to the cloud if enabled under your phone’s settings.
If your organization is using cloud storage (like Google Drive) Accounts
the risk of Google being taken down or your data destroyed
in a disaster is quite low, but human error (like accidentally If your organization chooses to set up a domain in
deleting important files) is still a possibility. Exploring a cloud Google Workspace or Microsoft 365, be aware that
backup solution like Backupify or SpinOne Backup may be both companies offer higher levels of security (for
worthwhile. If data is stored on a local server and/or local free in many cases) to civil society organizations.
devices, a secure backup becomes even more critical. You can Google’s Advanced Protection Program and
backup your organization’s data to an external hard drive, but Microsoft’s AccountGuard provide even more
be sure to encrypt that hard drive with a strong password. robust security to all of your organization’s
Time Machine can encrypt hard drives for you, or you can use cloud accounts, and help you greatly reduce the
trusted encryption tools for the whole hard drive like VeraCrypt likelihood of effective phishing and account
or BitLocker. Be sure to keep any backup devices in a separate compromise. If you believe that your organization
location from your other devices and files. Remember, a fire that qualifies and are interested in enrolling your
destroys both your computers and their backups means you organization in either plan, visit the websites
do not have backups at all. Consider keeping a copy in a very linked above or contact cyberhandbook@ndi.org
secure location, such as a safe deposit box. for further assistance.
52 CyberSecurity Handbook
Staying Safe on
the Internet
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
53
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
When using the internet on your phone or It is important to keep sensitive information – like usernames
and passwords that you type into a website, your social media
computer, your activity can say quite a bit about posts, or in certain contexts even the names of the websites
you and your organization. that you visit – out of the view of prying eyes. Having your
access to certain sites or apps blocked or restricted is also a
common concern. These two problems – internet surveillance
and internet censorship – go hand in hand, and the strategies to
reduce their impacts are similar.
Browsing Securely
USING HTTPS
The most important step to limiting an adversary’s ability to numbers, or messages), and the details of the site and pages
surveil your organization online is to minimize the amount you are visiting are all exposed. This means that (1) any hackers
of information available about you and your colleagues’ on your network, (2) your network administrator, (3) your ISP
internet activity. Always make sure you are connecting to and any entity they might share data with (like governmental
websites securely: make sure the URL (location) starts with authorities), (4) the ISP of the site you are visiting and any
“https’’ and shows a small lock icon in the address bar of your entity they might share data with, and of course (5) the site you
browser. When you browse the internet without encryption, are visiting itself all have access to quite a bit of potentially
the information you type into a site (like passwords, account sensitive information.
54 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Governments are increasingly using their influence actors across the globe are using increasingly accessible
and authority over internet service providers and other surveillance technology to monitor the activity of
local internet infrastructure to prevent individuals and citizens online. For instance, according to Freedom
civil society groups from accessing information on House’s Freedom on the Net 2020 report, the Ugandan
the internet. In some cases, such internet disruptions government partnered with the Chinese tech company
are aimed at taking down key communications and Huawei to surveil opposition figures and civic activists in
information sharing platforms including social media the run up to and aftermath of a contentious presidential
and news sites. For instance, in response to protests election in the country.
resulting from a military coup, the Myanmar military
directed mobile operators to temporarily shut down The increasing frequency of such attacks on access to
the entire mobile data network in the country. This and freedom of information online highlight just how
came shortly after more targeted blocking of Facebook, essential it is for civil society groups to understand the
Twitter, and Instagram. In addition to blocking internet risks of operating on the internet and develop plans for
access and websites, governments and other threat how to connect when connectivity is impacted.
Let’s take a real-world example of what browsing without encryption looks like:
Adapted from the Totem Project’s How the Internet Works (CC–BY–NC–SA)
When browsing without encryption, all of your data is exposed. As shown above, an adversary can see where you are, that you are
going to news.com, looking specifically at the page on protests in your country, and see your password that you share to log in to the
site itself. Such information in the wrong hands not only exposes your account but also gives potential adversaries a good idea of
what you might be doing or thinking about.
56 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Using HTTPS (the “s” stands for secure) means that encryption is in place. This offers you much more protection.
Let’s take a look at what browsing with HTTPS (aka with encryption) looks like:
Adapted from the Totem Project’s How the Internet Works (CC–BY–NC–SA)
With HTTPS in place, a potential adversary can no longer see ensure you are using HTTPS at all times, or if you use Firefox,
your password or other sensitive information that you might turn on HTTPS only mode in the browser.
share to a website. They can, however, still see what domains If you are presented with a warning from your browser that
(for example, news.com) you are visiting. And while HTTPS also a website might be insecure, do not ignore it. Something
encrypts information about the individual pages within a site is wrong. It might be benign – like the site has an expired
(for example, website.com/protests) that you visit, sophisticated security certificate – or the site might be maliciously spoofed
adversaries can still see this information by inspecting your or faked. Either way, it is important to heed the warning and
internet traffic. With HTTPS in place, an adversary might know not proceed to the site. HTTPS is essential and encrypted DNS
that you are going to news.com, but they would not be able provides some extra protection against snooping and site
to see your password, and it would be more difficult (but not blocking, but if your organization is concerned about highly
impossible) for them to see that you are looking up information targeted surveillance regarding your online activities and faces
about protests (to use this one example). That is an important sophisticated censorship online (such as websites and apps
difference. Always check that HTTPS is in place before being blocked), you might want to use a trusted virtual private
navigating through a website or entering sensitive information. network (VPN).
You can also use the HTTPS Everywhere browser extension to
If you want to make it more difficult (but not impossible) default. Users of Chrome or Edge browsers can turn on
for an ISP to know the details of the websites that you encrypted DNS through the browser’s advanced security
visit, you can use encrypted DNS. settings by turning on “use secure DNS” and selecting
“With: Cloudflare (1.1.1.1)” or the provider of their choice.
If you are wondering, DNS stands for Domain Name
System. It is essentially the phonebook of the internet, Cloudflare’s 1.1.1.1 with WARP encrypts your DNS and
translating human-friendly domain names (like ndi.org) encrypts your browsing data - providing a service similar
to web-friendly internet protocol (IP) addresses. This to a traditional VPN. While WARP does not fully protect
allows people to use web browsers to easily look up and your location from all websites that you visit, it is an
load internet resources and visit websites. By default easy-to-use feature that can help your organization’s
though, DNS is not encrypted. staff take advantage of encrypted DNS and additional
protection from your ISP in situations where a full VPN
To use encrypted DNS and add a bit of protection to is either not functional or required given the threat
your internet traffic at the same time, one easy option context. In the 1.1.1.1 with WARP advanced DNS settings,
is to download and turn on Cloudflare’s 1.1.1.1 app staff can also turn on 1.1.1.1 for Families to provide
on your computer and mobile device. Other encrypted additional protection against malware while accessing
DNS options, including Google’s 8.8.8.8, are available the internet.
but require more technical steps to configure. If you
use Firefox browser, encrypted DNS is now turned on by
58 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
WHAT IS A VPN?
A VPN is essentially a tunnel that protects against the surveillance and blocking of your internet traffic from hackers on your
network, your network administrator, your ISP, and anyone they might share data with. It is still essential to use HTTPS and to ensure
that you trust the VPN that your organization uses. Here is an example of what browsing with a VPN looks like:
Adapted from the Totem Project’s How the Internet Works (CC–BY–NC–SA)
To describe VPNs in more depth, this section references EFF’s Why should you not just use a free VPN? The short answer is
Surveillance Self-Defense Guide: that most free VPNs, including those that come pre-installed on
some smartphones, come with a big catch. Like all businesses
Traditional VPNs are designed to disguise your actual network and service providers, VPNs have to sustain themselves
IP address and create an encrypted tunnel for the internet somehow. If the VPN does not sell its service, how is it keeping
traffic between your computer (or phone or any networked its business afloat? Does it solicit donations? Does it charge for
“smart” device) and the VPN’s server. Because traffic in the premium services? Is it supported by charitable organizations
tunnel is encrypted and sent to your VPN, it is much harder for or funders? Unfortunately, many free VPNs make their money by
third parties like ISPs or hackers on public Wi-Fi to monitor, collecting and then selling your data.
modify, or block your traffic. After going through the tunnel from
you to the VPN, your traffic then leaves the VPN to its ultimate A VPN provider that does not collect data in the first place is
destination, masking your original IP address. This helps to the best choice. If the data is not collected, it cannot be sold
disguise your physical location for anyone looking at traffic or handed over to a government if requested. When looking
after it leaves the VPN. This offers you more privacy and security, through a VPN provider’s privacy policy, see whether the VPN
but using a VPN does not make you completely anonymous actually collects user data. If it does not explicitly state that
online: your traffic is still visible to the operator of the VPN. Your user connection data is not being logged, chances are that it is.
ISP will also know that you are using a VPN, which might raise Even if a company claims not to log connection data, this may
your risk profile. not always be a guarantee of good behavior.
This means that choosing a trustworthy VPN provider is It is worthwhile to do a search on the company behind the
essential. In some places like Iran, hostile governments have VPN. Is it endorsed by independent security professionals?
actually set up their own VPNs to be able to track what citizens Does the VPN have news articles written about it? Has it ever
are doing. To find the VPN that is right for your organization and been caught misleading or lying to its customers? If the VPN
its staff, you can evaluate VPNs based on their business model was established by people known in the information security
and reputation, what data they do or do not collect, and of community, it is more likely to be trustworthy. Be skeptical
course the security of the tool itself. of a VPN offering a service that no one wants to stake their
reputation on, or one that is run by a company that no one
knows about.
60 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
If using a VPN makes sense for your organization, a couple Although most modern VPNs have improved in regard to
of trustworthy options include TunnelBear and ProtonVPN. performance and speed, it is worth keeping in mind that using a
Another option is to configure your own server using Jigsaw’s VPN might slow down your browsing speed if you are on a very
Outline, where there is not a company managing your account, low-bandwidth network, suffer from high latency or network
but in return you have to set up your own server. If your delays, or experience intermittent internet outages. If you are on
organization is a bit larger, you may want to consider a business a faster network, you should default to using a VPN all the time.
VPN that provides account management features such as
TunnelBear’s Teams plan. For certain qualifying organizations in If you do recommend that staff use a VPN, it is also important
the civil society and human rights space, TunnelBear provides to ensure that people keep the VPN turned on. It might sound
credits for free use of their VPN (which usually costs about obvious, but a VPN that is installed but not running does not
$3 per month). If you believe that your organization qualifies provide any protection.
and are interested, contact cyberhandbook@ndi.org for more
information.
In addition to VPNs, you may have heard of Tor as browser. It operates like any normal browser except
another tool for more securely using the internet. It is that it routes your traffic through the Tor network. You
important to understand what both are, why you might can download the Tor browser on Windows, Mac, Linux
use one or the other, and how both might impact your or Android devices. Keep in mind that when using Tor
organization. Browser, you are only protecting the information you
access while in the browser. It does not provide any
Tor is a protocol for transmitting data anonymously protection to other apps or downloaded files that you
over the internet by routing messages or data through might open separately on your device. Also keep in mind
a decentralized network. You can learn more about how that Tor does not encrypt your traffic, so - much like when
Tor works here, but in short, it routes your traffic through using a VPN - it is still essential to use best practices like
multiple points along the way to its destination so that HTTPS when browsing.
no single point has enough information to expose who
you are and what you are doing online at once. If you would like to extend the anonymity protections
of Tor to your entire computer, more tech savvy users
Tor is different from a VPN in a few ways. Most can install Tor as a systemwide internet connection, or
fundamentally, it differs because it does not rely on trust consider using the Tails operating system, which routes
of any one specific point (like a VPN provider). all traffic through Tor by default. Android users can also
use the Orbot app to run Tor for all internet traffic and
This graphic, developed by EFF, shows the difference apps on their device. Regardless of how you use Tor, it
between a traditional VPN and Tor. is important to know that when using it, your internet
service provider cannot see what websites you are
The easiest way to use Tor is through the Tor web visiting but they *can* see that you are using Tor itself.
Much like when using a VPN, this could raise the risk that is properly used by all staff at all times is easiest,
profile of your organization considerably, because Tor most convenient, and in the age of greater VPN usage
is not a very common tool and therefore stands out to globally, less likely to raise red flags. However if you
adversaries that may be monitoring your internet traffic. either cannot afford a trustworthy VPN or operate in
an environment where VPNs are routinely blocked, Tor
So, should your organization use Tor? The answer: it can be a good option, if legal, for limiting the impact of
depends. For most at-risk organizations a trusted VPN surveillance and avoiding censorship online.
62 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Your organization can reveal a lot – and Whether it is Facebook, Twitter, Instagram, YouTube or region-
specific social media sites such as VKontakte and Odnoklassniki,
sometimes more than it intends – by posting you should always think carefully about what you post, and
and commenting on social media. properly configure any privacy settings that may be available.
This is true not only for your organization’s official pages, but
also in some cases for staffs’ personal accounts and those of
their family and friends too.
Even low risk organizations can be targeted and accounts or successfully impersonate you online.
harassed on social media without proper security In addition to hacking accounts, civil society groups
policies in place. In this example from 2018, a non-profit and individual users in many countries are also facing
animal shelter lost thousands of dollars and alienated repercussions for content posted on social media. In
supporters after an unauthorized account administrator one example in Zambia from 2020, police arrested a
set up a fake fundraising effort, and fake accounts 15-year-old student for allegedly defaming the president
impersonating employees appeared on the platform. If in a Facebook post. The child, who posted under a
hackers will go to those lengths to make a few thousand pseudonym, was identified by the phone number used
dollars off of an animal shelter, you can imagine the to register the account and his internet protocol (IP)
damage sophisticated adversaries might be able to address.
inflict if they were to gain access to your organization’s
64 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
In addition to protecting your ability to access For social media pages, this means protecting those accounts
with strong, unique passwords and two-factor authentication.
the internet safely, it is also important to do For your website, this means protecting it against hacking and
what you can to ensure others can access your denial of service attacks. Distributed Denial of Service (DDoS)
organization’s websites or web properties. attacks are where a large group of computers simultaneously
drown your server in malicious traffic. If you are a civil society
organization or other non-profit organization, you can most
likely qualify for free DDoS protection - which makes it much
harder for an adversary to take your website down. A few
options include Cloudflare’s Project Galileo, Google’s Project
Shield, or eQualitie’s Deflect service.
Websites are hosted on computers - and those are using well-established cloud hosting providers such
vulnerable to hacking just like your own devices. If as Amazon Web Services (AWS), Microsoft Azure, or
possible, your organization should take advantage of Greenhost’s eclips.is, which provide enhanced security
existing hosting services like Wordpress.com, Wix, or options for hosted websites. Regardless of what tools
others that manage all the site security for you. If you you use to host your website, ensure that any accounts
are reading this handbook, your organization also likely used to access content editing and configuration
qualifies for free secure hosting of a Wordpress site by settings are protected with strong passwords and two
eQualitie through their eQPress Hosting service. This factor authentication.
is a great option for civic organizations with existing
Wordpress sites or if your organization is looking If your organization has the technical savvy to host its
to build a new site. If your website needs are more own website, you should consider choosing a so-called
complex, or if you need to host your website yourself, “static-site” or flat website. As opposed to dynamic
then be sure to focus on keeping your operating websites, these types of sites reduce the attack surface
system and web hosting software up to date, just for hackers and will make your website more attack
like you would for your personal computer. Consider resistant.
66 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
All these steps to protect web traffic from Do not forget the basics like using a strong password (not the
default password) on your WiFi router(s), ensuring that only
surveillance and censorship are important, authorized users have access to your network by frequently
but they are not a substitute for basic network changing the password, and enabling your wireless routers’
security in the office and at home. built-in firewall. Consider creating a guest network in your office
as well if you have visitors coming in and out of the building
who use the internet.
o Conduct regular training for staff on the importance of following basic web security
measures.
o Remind staff to always browse with HTTPS and encrypted DNS.
o Require staff to regularly restart their browsers to install updates.
o Encourage the use of privacy protecting browsers and extensions.
o If a VPN is appropriate given your organization’s context, choose a reputable one,
train staff on its use, and ensure it is consistently used.
o Develop and distribute a clear organizational policy on social media use.
o Enable privacy and security settings on all social media accounts.
o Understand the impacts of online harassment and be prepared to support staff who
are affected.
o Develop a list of local professionals, organizations, and law enforcement agencies
that you can connect staff to for legal, mental health, and technical assistance in
response to online harassment.
o Sign up for DDOS protection for your websites.
o Use a trusted, reliable web hosting provider.
o Use a strong password and a guest network for your office WiFi.
Protecting
Physical
Security
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
68 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
It is essential to keep your devices physically world. This includes hard-copy documents;
secure. Keep in mind that physical security your organization’s office or work spaces; and
goes beyond just devices, and should include of course you, your staff, and volunteers.
strategies to protect everything else in your
Unfortunately, physical attacks on civil society democracy and governance space. For instance, the
organizations are not uncommon, and often have offices of LGBT+ Rights Ghana, a civic organization that
significant implications for both physical and in early 2021 opened the country’s first community
information security. One common tactic taken by center for the local LGBTQI+ community, were threatened
adversaries to suppress the activity of CSOs includes to be burned down, and were eventually raided
raiding and closing offices - to both intimidate staff and closed by police. Such raids not only impact an
and in some cases to steal or confiscate information organization’s physical operations, but can damage staff’s
and tech equipment. Such threats often target minority sense of security as well.
and human rights groups and CSOs operating in the
An essential component of information trusted companies that do not have an incentive to hand
over data and information to a potential adversary.
security is the physical security of your
devices. If the risk of break-in or office raid is high, keep the
organization’s most sensitive data away from the office
In addition to mitigating the impact of a stolen device by - either by being stored safely in the cloud (as discussed
using lockscreens and passwords, implementing full disk- earlier) or by being physically moved to a less targeted
encryption, and turning on remote wipe features, you should location. If old devices have information still stored on them
also consider how to keep those devices from being stolen in but are no longer in use, consider wiping them - this guide
the first place. To make theft more difficult, be sure to install from Wirecutter is a great resource on how to do this for
strong locks (and rotate them whenever staff change) at the most modern devices. If wiping your devices is not possible,
office and/or home. In addition, consider buying a laptop you can physically destroy them too. The easiest, if not most
safe or lockable cabinet to keep devices protected overnight. environmentally sensitive, way to do that is to break up the
Security cameras have become much less expensive, with devices and their hard drives with a hammer. Sometimes
simple versions designed for home use available more the oldest solutions still work the best! Even before these
widely. Such camera or motion sensor systems around the technical steps, take a moment to create an inventory of all
premises can detect and hopefully deter physical break-ins the equipment in the organization. If you do not have a list
and theft. Look for a privacy-respecting option available of all your devices, it is harder to keep track of what might be
in your country, and be sure to select cameras provided by missing if one gets stolen.
If a full office security system is out of your Android devices at different points in the office to notify
organization’s budget and you’re particularly concerned you of and record any unexpected guests and unwanted
about privacy you can try a creative option like the intruders. The Haven App can also be useful to set up in
Guardian Project’s Haven App to notify you of potential a hotel room or apartment if you are at heightened risk.
office intrusion. Haven is a smartphone app that can turn A full security system is best, but if that’s out of reach
any Android phone into a motion, sound, vibration and and you’d like to learn more about how to use the Haven
light detector. You can set up the app on a few cheap app you can visit the project website.
70 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
It is likely that your organization has a lot of information that Are guests allowed inside the office? If so, ensure they do
is printed on paper, written in notebooks, or scribbled down not have access (or at least unattended access) to devices or
on Post-it notes. Some of this can be very sensitive: printouts sensitive hard-copy data. If it is a requirement or expectation
of budgets, lists of participants, sensitive letters from donors, that guests have internet access when they visit, you should set
and notes from private meetings. It is essential to think about up a “guest” network so that such guests do not have the ability
the security of this information as well. If you absolutely need to monitor your regular traffic. In general, only trusted personnel
to keep hard copies of sensitive information, ensure that it is should be able to access the network and network devices
stored safely in a locked cabinet or another safe place. Do not such as printers. It is also usually a good idea to require guest
keep any private or sensitive information (including passwords) registration so that you have a log of who has visited.
laying around on a desk or written up on a white board. If you
believe your organization to be at high risk of a break-in or raid, As you develop an office policy, the goal should be to allow only
keep highly sensitive information in a less targeted location. trusted people access to sensitive devices, documents, spaces,
To the extent possible, endeavor to dispose of unneeded hard- and systems.
copy information. Remember: if you do not have it, it cannot
be stolen. Set an organizational policy regarding ownership of
hard-copy notes, and be sure to collect any paper notes from SUPPORTING STAFF AND
staff if they decide to leave or are let go from the organization
(just like you would collect an organization-issued computer or VOLUNTEERS
phone). To get rid of sensitive paper, purchase a quality shredder.
A fun end-of-week activity can be taking a 15-minute break with Physical security threats to your organization can impact your
your staff to shred any leftover, sensitive print-outs or notes staff too. Similar to harassment on social media, these physical
from the prior week. security threats often disproportionately impact women and
marginalized communities. It is not just about broken windows
and stolen laptops. Intimidation, threats or instances of physical
THE OFFICE POLICY or sexual violence, domestic abuse, and fear of attack can have
a serious negative impact on the lives of staff. For organizations
Although for many the realities of “the office” have changed that work with or support politically active women in particular,
significantly since the beginning of the COVID-19 pandemic, NDI’s #Think10 Safety Planning Tool is a useful resource to
it is still important for your organization to set a clear policy provide those who might be at increased personal risk as a
regarding office access. Such a policy should address key result of their activity.
questions including who is allowed inside the office (and when),
who can access what office resources (like the WiFi network), The well-being of staff is obviously an important asset to them
and what to do about guests. as individuals, but it is also a crucial element to a healthy
and well-functioning organization. To that end, consider what
A simple yet important question to answer is who gets an additional resources you can provide to staff to keep them
office key. Only trusted staff should have keys, and locks should protected and, in the case of physical or digital attack, help
be changed when staff leave and/or on a semi-regular basis. them recover. As mentioned earlier in the Handbook, this means
During the day, any doors that are left unlocked should be in at a bare minimum developing a list of resources that you can
constant view of someone trusted in the organization. Also connect staff to for legal, medical, mental health, and technical
consider whether the organization has a trusted relationship assistance if needed. Once again PEN America’s Online Field
with your landlord or cleaning staff. Think about what Harassment Manual includes ideas for how organizations can
information or devices such people might have access to and support staff during and after crises, and Tactical Tech’s Holistic
ensure that is protected, particularly if you do not have that Security Manual includes relevant content on how organizations
often respond during times of intense threat.
When putting together a travel policy, keep in mind carefully about how you will securely share and store
what information might be exposed when you organize (if needed) personal information like passport details,
or book travel. This can be particularly important if you travel itineraries, and medical records. Tactical Tech’s
are organizing large events, trainings, or conferences Organizer Activity Book has a great worksheet to help
for which you are handling sensitive information your organization think through key questions related to
from a variety of staff, partners, or attendees. Think travel security, linked here.
72 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
74 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
So, you know the right things to do. You have Borrowing from Tactical Tech’s Holistic Security Guide, a good
place to start with an incident response plan is defining an
put the policies in place and trained everybody incident or an emergency in the context of your organization.
in the organization on all the best practices. Decide what an “emergency” is – i.e, the point at which we
Even with all this hard work, it is very likely that should begin to implement the actions and contingency
measures planned. This is important as sometimes it will be
something will eventually go wrong. unclear – if you imagine a scenario such as losing contact with
a colleague on a field mission; how long would you wait before
Stuff happens. When it does, it is essential to have an incident
declaring an emergency? One does not want to jump too early,
response plan in place. Incident response is a crucial, and
but waiting too long can in some circumstances be disastrous.
often underrated, part of your organization’s security plan
It is also important to think through any operations steps as
because it can be the difference between an attack destroying
well. Assign each person a clear role that they are aware of and
your organization’s reputation or being an unpleasant bump
have agreed to in advance – this will reduce disorganization
in the road. Keep in mind that you can only respond to an
and panic in the event of an incident. In the case of each threat,
incident if you know about it. Having a strong organizational
consider the different roles that you may have to assume and
security culture and encouraging staff to report problems is
the practicalities involved in responding to an emergency.
very important. This is why it is better to reward good security
Within this important strategy for emergencies is the activation
behavior rather than punish security lapses or mistakes.
of a support network – a broad network of allies, which may
It is also important to express empathy and check on the
include friends and family, community, local allies, government
wellbeing of staff when they report an incident. You want staff
resources and national or international allies like NGOs and
to immediately report a clicked link in a phishing message, a
journalists. How can your allies support you? Should you contact
stolen phone, or a hacked social media account - not hesitate for
them in advance to verify that they will be willing to help you in
fear of retribution or lack of support. After all, incident response,
an emergency and let them know what you expect of them?
just like the mitigation strategies mentioned in other sections
of the Handbook, is an organization-wide effort.
When responding to an incident, effective communications
become increasingly important. Decide what the most secure
• What should you plan for? In short, anything that is
and effective means of communicating with each actor is in
somewhat likely to happen. That will look different for
different scenarios and identify a backup means. Be aware that
every organization, but common questions that an incident
for emergencies, it might be useful to have clear guidelines on
response plan will help answer include:
what to (and what not to) communicate, when to communicate,
• What do we do if our accounts or websites get hacked?
which channels to use to communicate, and with whom you
• What do we do if someone clicks on a phishing email or if
should communicate. Also consider the reputational impact of
a device is acting suspiciously?
an incident on your organization, and be prepared to respond
• What do we do if our emails or most sensitive documents
accordingly. Make sure that the organization’s communications
are stolen and leaked?
lead (in some organizations this might just be whoever
• What do we do if one of our employees is put in physical
manages the Facebook page or the Twitter account) is aware
danger or arrested? Or if they are struggling with stress
of the incident and can watch social media or other media for
and anxiety due to such threats?
potential impact. They should also be prepared to field possible
• What do we do if our office is damaged in a fire, flood, or
public or media inquiries about an incident if relevant. This is
natural disaster?
especially important for getting ahead of any potential negative
• What do we do if an employee’s computer or phone is lost
stories or reputational damage. While every incident and
or stolen?
context is different, honest and transparent communications
often help build trust in the aftermath of an incident.
The answers to these questions and others will differ by
organization, but it is important to think through them together
and clearly articulate and share a plan so that everyone in your
organization is prepared to take action immediately to limit the
damage.
Consider establishing an Early Alert and Response again decreased. It should also include actions to be
System. Such a system sounds fancy, but it is essentially taken after an incident in order to protect those involved
just a centralized document (electronic or otherwise) from further harm and help them to recover physically
to be opened in the event of an emergency. In the and emotionally. An Early Alert and Response System
document, you should record all the details about the can provide useful documentation for sharing with law
security indicators and incidents which have occurred on enforcement (if applicable), subsequent analysis of what
a timeline, provide a clear description of the actions and has happened, and guidance on how to improve your
sequence for the planned response, and indicate what prevention tactics and responses to threats in the future.
needs to be achieved to signify that the risk has once
In addition to these important incident response concepts, legal counsel if necessary, and make a plan for what you would
your organization should also prepare for any specific technical do in response. It is a good idea to make an agreement with this
response. In some cases a technical response can be managed trusted counsel to represent you and your interests if needed in
by internal IT staff or system administrators. For example, if the aftermath of an incident. As part of this legal preparation,
an email account appears to have been hacked, your account make sure that you understand the legal obligations of any
administrator should be prepared and able to shut down vendors or partners. Are they required to notify you in the
or disable the impacted account. Some technical incidents, case of their own data breach? What support (if any) are they
however, might require expertise that you do not have within required to provide you in the case of an incident? As you
your organization. For situations like these, it is important to develop contracts and agreements with external vendors, keep
identify a trusted list of external technical experts who can the possibility of a data breach or other incident in mind.
assist you in your incident response. In some cases, you may
want to pre-negotiate terms with service providers (such as While there is no one-size fits all approach to incident response,
your website host or an IT consultant) to ensure that they having clear operational, communications, technical, and legal
are available (and would not charge extra) for such technical plans in place is essential. As you put together your incident
incident response. response plan, we strongly encourage you to make use of some
excellent existing resources, designed to help civil society
Last but certainly not least, you should consider legal steps. organizations and other high-risk groups navigate incident
Understanding the legal protections you might have, as well as response. These resources include the Digital First Aid Kit
the legal obligations or consequences your organization might developed by RaReNet and CiviCERT, PEN America’s Online
face as a result of a data breach or other security incident, is Harassment Field Manual, the Belfer Center’s Cybersecurity
important. A first step can be to identify trusted legal counsel Campaign Playbook and Cyber Incident Communications Plan
that understands your country or locality’s specific laws and Template, and Access Now’s Digital Security Helpline.
regulations. Take time to review possible incidents with relevant
76 CyberSecurity Handbook
A Strong Foundation:
Building a Culture Communicating and Staying Safe on Protecting Physical What To Do When
Securing Accounts
of Security Storing Data Securely the Internet Security Things Go Wrong
and Devices
Incident Response
• Tactical Tech’s Holistic Security Manual ; Creative Commons Attribution-ShareAlike 4.0 International License
• Chapter 2.4 - Understanding and Cataloguing Our Information
• Chapter 1.5 - Communicating about Threats in Teams and Organizations
• Chapter 3.4 - Security in Groups and Organizations
• The Electronic Frontier Foundation’s Security Education Companion ; Creative Commons Attribution 3.0 US License
• Threat Modeling Activity Handout
• Freedom of the Press Foundation’s Phishing Prevention and Email Hygiene Guide ; Creative Commons Attribution
4.0 International License
• Freedom of the Press Foundation’s Locking Down Signal Guide ; Creative Commons Attribution 4.0 International
License
• Electronic Frontier Foundation’s Surveillance Self Defense (SSD) Guide ; Creative Commons Attribution 3.0 US
License
• What Should I Know About Encryption
• Communicating with Others
• Choosing the VPN That’s Right for You
• Frontline Defenders’ Guide to Secure Group Chat and Conferencing Tools
• Tactical Tech’s Data Detox Kit
• Let the Right One In: Make Your Passwords Stronger
• Strengthen Your Screen Locks
• Center for Democracy and Technology’s Elections Security Guide on Passwords ; Creative Commons Attribution 4.0
International License
• Center for Democracy and Technology’s Elections Security Guide on Two Factor Authentication ; Creative Commons
Attribution 4.0 International License
• Martin Shelton’s Two Factor Authentication for Beginners ; Creative Commons Attribution 4.0 International
License
• Tactical Tech and Frontline Defender’s Security in a Box ; Creative Commons Attribution-ShareAlike 3.0 Unported
License
• Protect your device from malware and phishing attacks
• Protect your information from physical threats
• SANS’ Ouch! Newsletter: Stop That Malware
• Apple’s Device and Data Access when Personal Safety is At Risk
• Global Cyber Alliance Cyber Hygiene for Mission-Based Organizations
78 CyberSecurity Handbook
Appendix B:
Security Plan Starter Kit
Use the following starter kit to take notes Be sure to reference the key “building blocks” in each section
of the Handbook too to ensure that you are covering the
as you and your organization read through important topics as you build your security plan. By the end of
the Handbook and digest the material, and the Handbook, the building blocks, answers to these discussion
consider the accompanying questions with questions, and your notes should form the foundation of a
successful security plan!
your colleagues to help generate productive
discussion.
QUESTIONS TO CONSIDER:
• When can you schedule a conversation to review your security plan with the entire organization?
• What days or times work well for the organization to schedule regular conversations and training about security?
• What steps can leadership take to model good security behavior and a commitment to a security plan? How can
others in the organization play a role in security?
80 CyberSecurity Handbook
A Strong Foundation: Securing Accounts and Devices
QUESTIONS TO CONSIDER:
• How will you implement account security measures - like a password manager and 2FA - across the organization?
What obstacles might you encounter during implementation?
• How will your organization ensure that devices are kept secure and updated? As part of this, will the organization
need a plan to address unlicensed software or computers?
• When is a good time to set up training for all staff on the dangers of phishing, malware, and device security best
practices?
QUESTIONS TO CONSIDER:
• How will your organization implement end-to-end encrypted messaging for secure communication? What
obstacles might you encounter during implementation?
• How will your organization enforce a secure file sharing solution both internally and externally? What obstacles
might you encounter during implementation?
• How will your organization implement a secure data storage and backup solution? What obstacles might you
encounter during implementation?
82 CyberSecurity Handbook
Staying Safe on the Internet
QUESTIONS TO CONSIDER:
• How will your organization implement secure browsing requirements such as HTTPS, a trusted browser, and, if
appropriate, a VPN for staff?
• What will be the key elements of your organization’s social media policy? How will it be enforced?
• How will your organization protect its websites and web properties?
QUESTIONS TO CONSIDER:
• How will the organization distribute and enforce its office guest and access policy?
• Who is responsible for preparing staff for the physical and digital security challenges that they might face while
on travel for work?
• What steps can staff take to keep their devices safe and secure both at the office and while on travel?
84 CyberSecurity Handbook
What to Do When Things Go Wrong
QUESTIONS TO CONSIDER:
• How will the organization distribute and practice its incident response policy?
• Are there resources available for staff who might be in need of emotional and social support in the aftermath of
an incident? If not, how might the organization be able to provide those resources in case of an incident?